CRITICAL
Rule Definition
Servlets must be written in a thread-safe manner: the servlet container creates a single instance of each servlet and dispatches every concurrent request to that one instance, each on its own worker thread. Beyond the threading model, if you intend to store request-specific state and your container provides clustering or session replication, there is no guarantee that the same servlet instance will receive all the requests (from one user, let alone from all users) to a Web application.
A field that is not static final is therefore shared by every request and every session handled by that instance. Request-specific data written to such a field by one user (an e-mail address, an account number, a lookup result) can be read back by another user's request that runs interleaved with the first, which leaks confidential data; unsynchronized concurrent writes to the same field also produce race conditions and corrupted state.
Remediation
Review the class design. Keep per-user state in the HttpSession (which the container keys on the session cookie and can replicate across a cluster) or in stateful session beans, which exist for exactly this purpose. For temporary storage inside a servlet use local variables scoped to the doGet or doPost methods (or the service method): each request runs on its own thread with its own stack, so locals are never shared. Declaring a field static final only removes the problem when the referenced object is itself immutable (a String, an Integer, a configuration constant); a static final Map or StringBuilder is still shared mutable state and needs explicit synchronization. Implementing the deprecated SingleThreadModel interface is not a remedy either: it does not protect static fields or other shared resources, and in a cluster several instances may still exist.
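The two servlets below are an added example, not code from the page or from the Sun guidelines it cites. They put the violation next to the fix with request-specific data actually flowing through the field: the first servlet stores the submitted e-mail parameter in an instance field and echoes it back, so two interleaved requests can show one user the other's address; the second keeps the per-request value in a local and the per-user value in the HttpSession, leaving only an immutable constant in a static final field. The class names, the email parameter, the lastAddr session attribute and the HtmlUtil helper are assumptions made for the example; the code targets the javax.servlet API (under Jakarta EE 9 and later the package is jakarta.servlet), and the three public classes are shown together here but would each sit in their own source file and be mapped with @WebServlet or in web.xml.

```java
import java.io.IOException;
import java.io.PrintWriter;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Vulnerable form. The container instantiates this servlet once and runs each
// request on a pooled worker thread, so 'lastAddr' is shared by every user.
// One possible interleaving of two concurrent POSTs:
//   thread 1 (Alice): lastAddr = "alice@example.com"
//   thread 2 (Bob):   lastAddr = "bob@example.com"
//   thread 1 (Alice): out.println(lastAddr)  -> Alice's page shows Bob's address
public class LeakyAddressServlet extends HttpServlet {
    private String lastAddr = "nobody@nowhere.com"; // Violation: shared mutable state

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String submitted = request.getParameter("email");   // "email" is an assumed parameter name
        if (submitted != null) {
            lastAddr = submitted;                            // every request overwrites the same field
        }
        response.setContentType("text/html;charset=UTF-8");
        PrintWriter out = response.getWriter();
        out.println("<html><body>Address on file: " + HtmlUtil.escape(lastAddr) + "</body></html>");
    }
}

// Fixed form. Only immutable constants live in static final fields; the
// per-request value is a local variable and the per-user value is kept in the
// HttpSession, which the container keys on the session cookie and can
// replicate across a cluster.
public class SafeAddressServlet extends HttpServlet {
    private static final String DEFAULT_ADDR = "nobody@nowhere.com"; // immutable String: safe to share
    private static final String ADDR_ATTR = "lastAddr";              // assumed session attribute name

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String submitted = request.getParameter("email");            // local: visible to this thread only
        String addr = (submitted == null || submitted.isEmpty()) ? DEFAULT_ADDR : submitted;

        // getSession(true) creates the session if this user does not have one yet.
        HttpSession session = request.getSession(true);
        session.setAttribute(ADDR_ATTR, addr);
        render(response, addr);
    }

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // getSession(false) avoids creating a session for anonymous GETs.
        HttpSession session = request.getSession(false);
        Object stored = (session == null) ? null : session.getAttribute(ADDR_ATTR);
        String addr = (stored instanceof String) ? (String) stored : DEFAULT_ADDR;
        render(response, addr);
    }

    private static void render(HttpServletResponse response, String addr) throws IOException {
        response.setContentType("text/html;charset=UTF-8");
        PrintWriter out = response.getWriter();
        out.println("<html><body>Address on file: " + HtmlUtil.escape(addr) + "</body></html>");
    }
}

// Minimal HTML escaping so that echoing the submitted value back does not open
// a reflected XSS hole; prefer a library encoder (e.g. OWASP Java Encoder) in production.
public final class HtmlUtil {
    private HtmlUtil() {}

    public static String escape(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }
}
```

To reproduce the leak, deploy LeakyAddressServlet and fire two POSTs with different email values at it concurrently (for example with two curl processes in a loop); sooner or later one response carries the other request's address. The same test against SafeAddressServlet always returns the address that the same session submitted, because nothing request-specific ever touches a field of the servlet.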
Violation Code Sample
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class SampleServlet extends HttpServlet {
    private String lastAddr = "nobody@nowhere.com"; // Violation: instance field shared by every request

    public void doGet(HttpServletRequest request, HttpServletResponse response)
            throws IOException, ServletException {
        response.setContentType("text/html");
        PrintWriter out = response.getWriter();
        out.println("<html>");
        // ... the remainder of the sample is cut off on the page
    }
}
Fixed Code Sample
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class SampleServlet extends HttpServlet {
    private static final String lastAddr = "nobody@nowhere.com"; // Fixed: immutable constant, safe to share

    public void doGet(HttpServletRequest request, HttpServletResponse response)
            throws IOException, ServletException {
        response.setContentType("text/html");
        PrintWriter out = response.getWriter();
        out.println("<html>");
        // ... the remainder of the sample is cut off on the page
    }
}
Reference
Sun Best Practices
Related Technologies
JEE
Technical Criterion
Secure Coding - Time and State
About CAST Appmarq
CAST Appmarq is by far the biggest repository of data about real IT systems. It is built on thousands of analyzed applications, spanning 35 different technologies, contributed by over 300 business organizations across major verticals. It provides IT leaders with factual key analytics that tell them whether their applications are on track.